?
Solved

Is there a way to block a GPO from reaching a particular computer without putting the computer in an OU with block inheritance set?

Posted on 2008-10-15
5
Medium Priority
?
391 Views
Last Modified: 2010-04-21
Is there a way to block a GPO from reaching a particular computer without putting the computer in an OU with block policy inheritance set?  I want to block a software GPO policy on particular computers, but I don't want to move the computer(s) to their own OU.

Thank you!
0
Comment
Question by:cc_mbx
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 13

Accepted Solution

by:
martin_babarik earned 800 total points
ID: 22728410
Hello.

yes it quite simple: put all of those computers to a security group and in Group policy management console select the GPO you want to block, switch to a Delegation tab, add a group here to a list, then select the group, click Advanced and assign them Deny permission for Read and Apply group policy object.
Martin
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 400 total points
ID: 22729395
It's important to note that the computers in question will need to be rebooted after they have been added to the security group in question.
0
 
LVL 6

Assisted Solution

by:deiaccord
deiaccord earned 800 total points
ID: 22729539
Another alternative is when you link the GPO associate it with a WMI filter.

To create a WMI filter under Group Policy Management you should have a WMI filters section for the domain in question. Create a new filter with settings something like the below

Namespace: root\CIMV2
Query: SELECT * FROM Win32_ComputerSystem WHERE Name <> 'Computer1' OR Name <> 'Computer2'

Attach this to your GPO and computers called Computer1 or Computer2 will not get the GPO applied to them
0
 
LVL 13

Expert Comment

by:martin_babarik
ID: 22729705
Thank you Laura for adding this comment, quite important:-)
Martin
0
 

Author Closing Comment

by:cc_mbx
ID: 31506608
Thank you!
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month15 days, 17 hours left to enroll

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question